Merchant Account Alerts

The online retailer Zappos just had a data security breach where they lost 24 Million customer’s personal information records. This loss included names, addresses, email and phone numbers, encrypted passwords, but did not include credit card information.

No doubt that thoughtful security planning prevented the loss of credit card or financially sensitive information. However, it doesn’t really lessen the reality that the repercussions from the Zappos breach could be huge. Does data security go far enough if we accept that personal information is completely acceptable to be lost as long as financial information is not?

With the amount of personal information that was obtained in the Zappos breach, the thieves have a very lucrative marketing or hacking information package.

On the marketing side

Companies pay a lot of money for targeted marketing lists like the one that Zappos inadvertently provided. Let’s see, here’s a list of 24 million people that definitely buy things online, most likely shoes or clothing items, FIRE AWAY…

This information is a telemarketer or direct marketer’s dream, and they can target these known shoppers via phone, mail, and email.

On the hacking side

I can almost guarantee that Zappos customers are going to receive an onslaught of highly engineered spam, viruses, offers, and everything else to their emails. At the same time they are going to start getting physical spam, and scam offers, and probably are going to see telemarketing scams as well. There’s really no limit to how the information can be used for malicious purposes. Scam companies and hacking groups trying to install mallware and spyware are extremely efficient and proficient at developing well planned attacks on unsuspecting users. There are millions of computers called zombie computers because they are being used to send spam and other malicious activities without the knowledge of their owners. Expect some more.

As to the encrypted passwords. Websites typically use 1-way hashing mechanisms for password storage. This means that the password is encrypted, but cannot be decrypted by any reasonable means. The caveat to this is that if the hacker knows how the password was hashed, they can create a huge list of hashes and compare them to find the original. This is a very targeted attack, but with 24 million passwords it’s worth a lot of effort. They will begin finding real password very quickly if they discover the hashing mechanism. Since many users do not use unique passwords between websites, the direct loss from being able to log into user’s bank accounts, or other websites will be significant. I always recommend using a unique password with every site you log into, and use a password manager like roboform.

The reality

The reality of this situation is that Zappos is owned by Amazon.com. I can guarantee that Zappos has some stout security in place, and yet one of the largest, most tech oriented companies on earth, just had a data loss of 24 million records. This tells me that that standards we have in place for protecting data, especially non-sensitive data, are not enough. We should not just be protecting financially sensitive data, but all customer data. Sure there may be no direct cost in replacing bank cards, or obtaining new bank account numbers, stopping checks, or posting chargebacks, but the effect to the customer when you lose their data can be remarkable. We’ve yet to see the actual damages that this breach causes, but with the sheer amount of information out there, there could be substantial damages.

In case you haven’t been paying attention to the US political landscape, there is currently a bill in progress dubbed the great American firewall. It is a thoughtless overreaching nightmare’ish bill that claims to be for preventing copyright infringement.

Please read up and understand the implications of what this bill will do. There has never been a more 1984esque bill to be taken up by both houses of congress. It is absolutely ridiculous that our country would go this far just to help the massive media corporations under the veil that they are doing it for the good of the people. While supportable in concept, this is one of those “the road to hell was paved with good intentions” bills in what it will actually do.

Please contact your congress person and oppose this bill.

We’ve just completed a simple credit card logo generator and have included an API for web designers to use as well.

The API supports different logos for card issuers, paypal, google checkout and a few other. A developer can use the API to specify the size, background color and the order of the logos that they need on their website.

Update 08-2011 – Added ebillme and 2checkout.com logos.

Here’s a quick tutorial and a few examples of how to use the API.

1. Create an image tag with the root url: https://www.merchantequip.com/image/
2. Next add the bgcolor parameter to specify a 3 or 6 character HEX background color for your logo. If you do not know the background color: FFF is white, 000 is black. Here is a full HEX color chart. There are also a variety of browser addons if you need to match the exact colors of your website.
3. Next specify the actual logos that you would like to add to your site, in the order you would like to display them. Separate the logos with a pipe | character. Example: v|m|a|d for Visa then MasterCard followed by Amex and Discover.All of the available logo codes are:
   • v = Visa
   • m = MasterCard
   • d = Discover
   • a = Amex
   • g = Google Checkout
   • p = Paypal
   • bml = Bill Me Later
   • ec = eCheck
   • jcb = JCB
   • dc = Diners Club
   • s = Solo
   • me = Maestro
   • mb = Moneybookers
   • az = Amazon Payments
   • in = Interac
   • ebm = eBillme
   • 2co = 2checkout.com
4. Finally specify the height of the logos. The images currently come in 32px and 64px, so size accordingly allowing for a small margin around the images. We will be allowing for dynamic resizing in the future, but for now the only 2 sizes supported are 32px and 64px. Any additional height will be added as a margin.

The actual image url should look like (these are all generated through this exact API):

https://www.merchantequip.com/image/?bgcolor=FFFFFF&logos=v|m|a|d&height=32

The image HTML will look like:

<img src=”https://www.merchantequip.com/image/?bgcolor=FFFFFF&logos=v|m|a|d&height=32″ />

The logo above will display as:

Here’s the same logo using the larger image sizes:

Here’s all of the currently available logos:

While this tool is free to use we greatly appreciate a backlink or credit if you are using images that are hosted through the API. These images are all served securely over SSL, so they may be used on secure/SSL websites and ecommerce sites without errors.

If you have no idea of what an API is or just need logos for your website, please use the credit card logo generator and ignore this post.

Thanks again.

By now, the majority of merchants in the US have been informed of some impending IRS reporting requirements for their merchant account. I blogged about this congressional mandate several years ago and since we’re finally past the day of reckoning, let’s revisit how this is exactly going to affect your merchant account and your business.

An Overview

Some time back, the IRS decided that they wanted to see a report of all the money that a merchant processes through their merchant account over the year.

While this is a nearly useless number because as we all know, most businesses also accept cash, checks, and other currency, it will in theory catch the most egregious tax evading businesses. Basically, the few fractions of a percent of businesses that grossly cheat on their tax returns “could” get caught. Regardless of the absurdity of requiring the entire country disclose their processing volumes, here we are…

Now for this to work, your processor has to file a 1099 form with the IRS. This is a seemingly simple task. However, for this to actually work, your business information with your processor must exactly match what the IRS has on file. This includes business name, address, your tax id, etc. Things as simple as capitalized letters, a single space, and punctuation will cause a mismatch. You get a new tax id after opening up a merchant account. You signed your application with only your SSN and not your tax id number. Things like this will cause errors. Since it’s rare that merchants fill out their merchant applications with the exact same business information, with the exact same capitalization, and spaces as they do when they fill out their tax information, and nothing changes with their business-IRS relationship, it’s fair to say a lot of tax reporting information will not be valid.

So, what if the tax information is not valid?

So, here comes the nasty part. The IRS mandates that your processor will withhold 28% of all credit card payments until the errors are corrected. Yes, 28% of all of your credit card sales with be held until you fix whatever information is incorrect. And, even if you fix the problem, you wont get that 28% back until the end of the year.

More fees

Most likely you have or will receive notice that you are going to be charged for the work required to verify and prepare this massive undertaking. I’ve seen everything from several hundred $ per year, to a few $ per month. The reason you are being charged this fee is that it actually requires a lot of work to verify and prepare one of these documents for a merchant. Processors often have thousands, or tens of thousands of merchants, which translates into thousands of man hours in just the initial verification, not even taking into account contacting every merchant that has errors to obtain the correct information. If you didn’t authorize e-file for your 1099, your processor needs to mail you a physical form.

Exceptions

The exceptions to the filing requirements are:

1. a merchant’s total payment transactions for the year does not exceed $20,000, and
1. the total number of transactions does not exceed 200

In which case your processor will not need to file a report. This may consist of a good percentage of businesses out there, but most full-time businesses process more than $20,000 per year.

Conclusion

It’s unfortunate that the reporting regulation was ever passed. It’s a useless piece of legislation that creates a lot more work for small businesses and it’s unlikely that the reporting will catch any but the worst tax offenders. But, it’s passed and taking effect and there’s not much any of us can do about it at this point. No matter who you process credit cards with, keep a close eye on the mail and your processing statements for instructions on how to verify your information. My recommendation is to take it very seriously to avoid the 28% withholding.

First off, I wish everyone a great 4th of July weekend. Banks will be closed on Monday and it looks like most people are starting their weekend today anyway. Be safe this weekend and be very careful with fireworks if you live in one of the drought stricken areas like myself.

The past month has brought monumental changes to the payment processing industry.

Mobile frenzy

Mobile payments seem to be on the fast track with just about every tech related company steaming ahead at trying to be the first with a workable and widely adopted mobile payment method. Even Google has jumped in, despite Paypal’s arguments, and hopes to be a major player in mobile payments. If the Google Checkout service is any indicator of Google’s success in mobile payments, they simply aren’t going to make it. However, with their success in the mobile android operating system, and their already massive relationship with businesses, Google may have a chance at something.

Debit Interchange Regulation

The biggest news of the month, is the regulation of debit interchange. After fierce battling for more than a year, debit interchange is to be regulated to $.21 per transaction and .05% per transaction. As written, this applies to all debit card transactions, PIN or signature as well as Ecommerce/MOTO transactions. It’s not entirely clear when and how this will take effect but stay tuned over the next months.

The biggest winners in this regulation are once again the super retailers who process millions of transactions per year. Small and medium size merchants can expect savings, but it will not likely be anything as monumental as the Walmart’s and Amazon.com’s out there. There’s going to be a lot of misinformation flying and aggressive marketing over the next year as many processors will take advantage of the turmoil, misinformation, and instability in the merchant account industry. I would strongly suggest exercising caution in anyone making sensational claims about lowering your rates. Major industry changes offer the greatest opportunity to get scammed into a bad merchant account. Just remember that almost every processor has roughly the same hard costs, so if they are unrealistically lowering fees in one place, they have to make them up somewhere else.

Expect major checking account changes

As a result of banks losing roughly 50% of their revenue from debit cards, we should all expect drastic changes to our personal and business checking accounts over the next year. I know that all of my business and personal debit rewards have been canceled over the past 3 months. I think that debit rewards are the tip of the iceberg, and we should expect changes in debit and checking account fees and overall debit availability over the coming months. Some smaller banks have rumored that they will be dropping debit cards completely, so it will be interesting to see where this all ends up a year from now.

It’s a mute point to argue my position on the interchange regulation at this time. Retailers may be chocking this up as a victory, but don’t start celebrating yet. This regulation may seem like a small amount. Personally I think this regulation will change the way we do banking in the US, and could very well effect the entire retail economy, not necessarily in a good way. The next few years will give us a better picture of what these regulation have done to the retail industries and checking accounts.